An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests.
References
Link | Resource |
---|---|
https://github.com/openNDS/openNDS/releases/tag/v10.1.2 | Release Notes Vendor Advisory |
Configurations
History
23 Nov 2023, 03:35
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/openNDS/openNDS/releases/tag/v10.1.2 - Release Notes, Vendor Advisory | |
First Time |
Opennds
Opennds captive Portal |
|
CPE | cpe:2.3:a:opennds:captive_portal:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
CWE | CWE-116 |
17 Nov 2023, 06:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-11-17 06:15
Updated : 2023-12-10 15:26
NVD link : CVE-2023-38316
Mitre link : CVE-2023-38316
CVE.ORG link : CVE-2023-38316
JSON object : View
Products Affected
opennds
- captive_portal
CWE
CWE-116
Improper Encoding or Escaping of Output